Issue description

Received external report: #686499149. I've asked whether he has a Google account to add to the bug. Hopefully, he'll get back to me soon.
=================
I've discovered that Google Chrome as distributed for Linux uses the
LD_LIBRARY_PATH environment variable unsafely in its startup script.
The following line in /usr/bin/google-chrome sets this variable:
LD_LIBRARY_PATH="$PROGDIR:$PROGDIR/lib:$LD_LIBRARY_PATH"
Note that if LD_LIBRARY_PATH is previously unset, as will usually be
the case, this leaves a dangling ":" at the end of the variable, which
is interpreted by the linker as the current directory. Therefore, if
a user could be enticed into opening the Chrome browser from an
attacker-controlled directory, that attacker could easily load
maliciously crafted libraries in place of legitimate ones. This can
be trivially verified by placing a blank "libc.so.6" file in a
directory and attempting to launch google-chrome from there. I have
been unable to determine a remote vector for this issue.
This can easily be fixed by verifying that the LD_LIBRARY_PATH
environment variable is set before using it in a subsequent
assignment. Please keep me posted on any progress, including whether
this will be assigned a CVE identifier, etc.
=============